fortify

Export HP Fortify SCA 4.10 results in EXCEL format

徘徊边缘 submitted on 2020-01-11 19:43:20
Question: I scanned with HP Fortify SCA 4.10. Now I would like to export the raw results into Excel format to do data massaging to generate pivot tables. Can anybody suggest an easy or hard way to do it?
Answer 1: Reference this URL for the DB script to get the Excel format (export DB output to Excel): How to diff Fortify SCA scans. Generate a PDF/RTF/XML report from an existing FPR:
~AWB_Installation_Dir/bin/ReportGenerator -format pdf -f outputFile.pdf -source existing.fpr
(replace pdf with your target format
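A route to the "raw results into Excel" the question asks for that does not go through the database or ReportGenerator is to read the scan results straight out of the .fpr. The following Python is an added example, not code from the post or from Fortify: it assumes that an .fpr is a ZIP archive carrying the raw findings in audit.fvdl, and that audit.fvdl uses the FVDL layout sketched in the constructed SAMPLE_FVDL below (the namespace string, ClassInfo/InstanceInfo elements, and a Trace/Primary node flagged isDefault="true" for the sink). Check those tag names against an audit.fvdl from your own SCA version before relying on the output.

```python
"""Flatten the raw findings in a Fortify SCA .fpr into CSV for Excel pivot tables.

Added example; not from the original post. Assumptions: an .fpr is a ZIP whose
raw results are in audit.fvdl, and that file uses the FVDL layout sketched in
SAMPLE_FVDL below (namespace, ClassInfo, InstanceInfo, Trace/Primary nodes).
"""
import csv
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

FVDL_NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}  # assumed namespace
COLUMNS = ["instance_id", "kingdom", "category", "analyzer",
           "severity", "confidence", "file", "line"]


def findings_from_fvdl(fvdl_xml):
    """Yield one flat dict per <Vulnerability>; the sink is the isDefault="true" trace node."""
    root = ET.fromstring(fvdl_xml)
    for vuln in root.iterfind(".//f:Vulnerabilities/f:Vulnerability", FVDL_NS):
        def text(path):
            node = vuln.find(path, FVDL_NS)
            return (node.text or "").strip() if node is not None else ""
        nodes = vuln.findall(".//f:Trace/f:Primary/f:Entry/f:Node", FVDL_NS)
        sink = next((n for n in nodes if n.get("isDefault") == "true"),
                    nodes[0] if nodes else None)
        loc = sink.find("f:SourceLocation", FVDL_NS) if sink is not None else None
        # Fortify displays categories as "Type: Subtype" when a subtype exists.
        category = ": ".join(t for t in (text("f:ClassInfo/f:Type"),
                                        text("f:ClassInfo/f:Subtype")) if t)
        yield {
            "instance_id": text("f:InstanceInfo/f:InstanceID"),
            "kingdom": text("f:ClassInfo/f:Kingdom"),
            "category": category,
            "analyzer": text("f:ClassInfo/f:AnalyzerName"),
            "severity": text("f:InstanceInfo/f:InstanceSeverity"),
            "confidence": text("f:InstanceInfo/f:Confidence"),
            "file": loc.get("path", "") if loc is not None else "",
            "line": loc.get("line", "") if loc is not None else "",
        }


def fvdl_from_fpr(fpr_path):
    """Pull audit.fvdl out of the .fpr ZIP container."""
    with zipfile.ZipFile(fpr_path) as archive:
        return archive.read("audit.fvdl")


def write_csv(findings, out):
    """Write findings as CSV rows; returns the number of data rows written."""
    writer = csv.DictWriter(out, fieldnames=COLUMNS)
    writer.writeheader()
    count = 0
    for row in findings:
        writer.writerow(row)
        count += 1
    return count


# Constructed two-finding document standing in for a real audit.fvdl.
SAMPLE_FVDL = b"""<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.12">
 <Vulnerabilities>
  <Vulnerability>
   <ClassInfo><ClassID>AAAA</ClassID><Kingdom>Input Validation and Representation</Kingdom>
    <Type>Path Manipulation</Type><AnalyzerName>dataflow</AnalyzerName></ClassInfo>
   <InstanceInfo><InstanceID>1111</InstanceID><InstanceSeverity>4.0</InstanceSeverity>
    <Confidence>5.0</Confidence></InstanceInfo>
   <AnalysisInfo><Unified><Trace><Primary>
    <Entry><Node><SourceLocation path="src/Upload.java" line="12"/></Node></Entry>
    <Entry><Node isDefault="true"><SourceLocation path="src/Upload.java" line="40"/></Node></Entry>
   </Primary></Trace></Unified></AnalysisInfo>
  </Vulnerability>
  <Vulnerability>
   <ClassInfo><ClassID>BBBB</ClassID><Kingdom>Encapsulation</Kingdom>
    <Type>Cross-Site Scripting</Type><Subtype>Poor Validation</Subtype>
    <AnalyzerName>dataflow</AnalyzerName></ClassInfo>
   <InstanceInfo><InstanceID>2222</InstanceID><InstanceSeverity>3.0</InstanceSeverity>
    <Confidence>4.0</Confidence></InstanceInfo>
   <AnalysisInfo><Unified><Trace><Primary>
    <Entry><Node isDefault="true"><SourceLocation path="web/list.jsp" line="7"/></Node></Entry>
   </Primary></Trace></Unified></AnalysisInfo>
  </Vulnerability>
 </Vulnerabilities>
</FVDL>
"""


def demo():
    """Flatten the constructed sample; returns (rows, csv_text) for inspection."""
    rows = list(findings_from_fvdl(SAMPLE_FVDL))
    buf = io.StringIO()
    write_csv(rows, buf)
    return rows, buf.getvalue()


if __name__ == "__main__":
    # python fpr_to_csv.py results.fpr > results.csv ; no argument runs the sample.
    if len(sys.argv) > 1:
        write_csv(findings_from_fvdl(fvdl_from_fpr(sys.argv[1])), sys.stdout)
    else:
        sys.stdout.write(demo()[1])
```

Open the resulting CSV in Excel and build the pivot on kingdom, category, severity and file. Reading audit.fvdl gives every finding, including ones a later audit would hide; if you need only the findings left after auditing, the ReportGenerator XML output from the answer above is the better source, because it applies the audit filters for you.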

I am getting Cross-Site Scripting: Poor Validation on a struts call to a bean class

放肆的年华 submitted on 2020-01-07 03:19:07
Question: I scanned my application in HP Fortify and am getting an issue, Cross-Site Scripting: Poor Validation. I am using the ESAPI library. I am getting this finding on a Struts application.
<%@ taglib prefix="s" uri="/struts-tags" %>
<form method='post' name='<s:property value='tableBean.formName'/>' action='Notification.action'>
public String printApplications() throws IOException, ServletException {
    request.setAttribute(TableDisplayBean.TABLE_BEAN, tableBean);
}
What would be the proper syntax to use

Detect if HP Fortify is installed on remote computers

谁说胖子不能爱 submitted on 2020-01-05 21:10:12
Question: Does anyone have a script to scan a network for a list of hosts to determine if HP Fortify software is installed and provide the version? I tried using a PowerShell script that scans the add/remove section of the registry, but Fortify does not appear there. Any assistance would be most appreciated!
Answer 1: You have at least 3 ways of accomplishing this. Using the registry keys HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node

HP Fortify scans get ASP Pre-Compilation error

一世执手 submitted on 2020-01-05 09:24:47
Question: I am using Visual Studio 2012 and HP Fortify 4.21 with the latest rule packs. The code (C#) lives on the same machine that has HP Fortify, and I am only using AWB, not SCC. The code successfully builds when the developer does the build, but when I try to scan with Fortify I get an error: ASP Pre-compilation error. This error happens whether I am launching from VS or from the command line. The logs show no errors or warnings, but state at the end that there is nothing to store, so an fpr file is

Fixing Path Manipulation error

让人想犯罪 __ submitted on 2020-01-05 03:06:07
Question: Fortify is giving a Path Manipulation error on the line where the new File(path) comparison is made. I'm using Struts 2. Can anyone tell me how to fix this issue so that Fortify won't give this error?
private boolean filePresent(String fileName) {
    if (fileName != null) {
        String path = getDirPath();
        if (path != null) {
            path = path.endsWith("/") ? path : path + "/";
            path = path + fileName;
            if (new File(path).exists()) {
                setFileName(fileName);
                return true;
            }
        }
    }
    return false;
}
I need to see whether the
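The finding is about what filePresent() does not do: fileName reaches the filesystem without any check that the resulting path still lies under getDirPath(), so "../" segments or an absolute name walk out of the intended directory. The usual remediation is to canonicalize the joined path and require it to stay inside the canonical base directory. The Python below is an added example of that check, written by the editor rather than taken from the post or from any answer to it; it mirrors the original Java concatenation as file_present_unsafe and places the hardened version beside it. The directory layout in demo() is constructed for the run.

```python
"""Path Manipulation: the containment check missing from filePresent().

Added example, not from the original post. file_present_unsafe mirrors the
posted Java (concatenate, then exists()); file_present_safe canonicalizes and
refuses anything that resolves outside the base directory.
"""
import os
import tempfile


def file_present_unsafe(base_dir, file_name):
    """Same logic as the posted filePresent(): no validation of file_name, so
    '../secret.txt' or an absolute path is checked outside base_dir."""
    if file_name is None:
        return False
    path = base_dir if base_dir.endswith("/") else base_dir + "/"
    return os.path.exists(path + file_name)


def resolve_within(base_dir, file_name):
    """Return the canonical path of file_name under base_dir, or None if it escapes.

    Rejects empty names and embedded NUL bytes (which truncate paths in C-level
    APIs), then compares canonical forms so '..' and symlinks cannot slip past.
    """
    if not file_name or "\x00" in file_name:
        return None
    base = os.path.realpath(base_dir)
    # os.path.join drops base when file_name is absolute; realpath collapses
    # any '..' segments, so a prefix test on the result is decisive.
    candidate = os.path.realpath(os.path.join(base, file_name))
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate


def file_present_safe(base_dir, file_name):
    """Hardened filePresent(): True only for a regular file inside base_dir."""
    path = resolve_within(base_dir, file_name)
    return path is not None and os.path.isfile(path)


def demo():
    """Run both versions against a constructed tree; returns a dict of outcomes.

    Layout: <root>/uploads/report.txt (legitimate) and <root>/secret.txt
    (outside the upload directory, the thing traversal is after).
    """
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads")
        os.mkdir(base)
        with open(os.path.join(base, "report.txt"), "w") as f:
            f.write("ok")
        with open(os.path.join(root, "secret.txt"), "w") as f:
            f.write("should never be reachable")
        return {
            "unsafe_legit": file_present_unsafe(base, "report.txt"),
            "unsafe_traversal": file_present_unsafe(base, "../secret.txt"),
            "safe_legit": file_present_safe(base, "report.txt"),
            "safe_traversal": file_present_safe(base, "../secret.txt"),
            "safe_absolute": file_present_safe(base, os.path.join(root, "secret.txt")),
            "safe_nul": file_present_safe(base, "report.txt\x00.jpg"),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The Java equivalent is new File(dir, fileName).getCanonicalPath() compared against new File(dir).getCanonicalPath() plus the separator, with an allow-list on fileName (for example letters, digits, dot, dash and underscore only) where the set of legitimate names is known. Whether Fortify's dataflow rule recognises a given check as validation depends on the rule pack; if the finding persists after the fix, audit it with the reasoning recorded rather than weakening the check.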

How to suppress HP Fortify critical issues in Java code

瘦欲@ submitted on 2020-01-04 09:26:21
Question: I want to suppress the issues (whichever I want) that Fortify shows on the report in Java files, either by annotations or other means, like we suppress PMD issues using @SuppressWarnings(PMD.XXX).
Answer 1: There are Java annotations you can use within code to say, for example, that a function "cleanses" taint. Further information and the relevant jars are available in /Samples/advanced/javaAnnotations/. With regard to suppressing other issues, this is partly what auditing is about, as you can audit issues as

HP Fortify - Mass assignment

倾然丶 夕夏残阳落幕 submitted on 2020-01-04 01:52:09
Question: An HP Fortify scan gives me the message Mass Assignment: Insecure Binder Configuration (API Abuse, Structural) for most of the action methods in my controller. Below is an example of the action method.
<HttpPost>
Function Edit(model As GridViewModel)
    Dim manager As New Managers
    manager.Edit(model.id, model.name, model.desc, model.class)
    Return Nothing
End Function
When I tried the following method the error was gone.
<HttpPost>
Function Edit(id As Integer?, name As String, desc As String, class As
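What the finding objects to is the binder populating every settable property of the model from the request, so a client can post a field the action never meant to accept. The second Edit() in the question avoids this by taking the individual values as parameters; the other common fixes in ASP.NET MVC are a dedicated view model that contains only the editable properties, or the Bind attribute's Include list. The Python below is an added example from the editor, not the post's code and not ASP.NET's binder: a toy model with an is_admin property that no form should set, the automatic-binding pattern that exposes it, and an allow-list binder that either drops or rejects unexpected fields. The request dictionary is constructed.

```python
"""Mass assignment: an allow-list binder beside the automatic one it replaces.

Added example, not from the original post. GridItem, EDIT_FIELDS and the
request dict below are constructed for the demonstration.
"""
from dataclasses import dataclass, fields


@dataclass
class GridItem:
    id: int = 0
    name: str = ""
    desc: str = ""
    is_admin: bool = False   # persisted flag that no edit form may set


class BindError(ValueError):
    """Raised when a request names a field the action does not accept."""


def bind_all(model, form):
    """Vulnerable: the automatic-binder pattern, assigning any property the
    client names. A posted is_admin=true lands on the model unchanged."""
    for key, value in form.items():
        if hasattr(model, key):
            setattr(model, key, value)
    return model


EDIT_FIELDS = ("id", "name", "desc")   # what Edit() legitimately needs


def bind_allowed(model, form, allowed=EDIT_FIELDS, strict=True):
    """Hardened: copy only allow-listed fields, coerced to the declared types.

    strict=True turns unexpected fields into an error (useful for logging
    probing attempts); strict=False silently ignores them, which is how a
    view model with only the editable properties behaves.
    """
    declared = {f.name: f.type for f in fields(model)}
    unexpected = set(form) - set(allowed)
    if strict and unexpected:
        raise BindError(f"unexpected fields: {sorted(unexpected)}")
    for key in allowed:
        if key in form:
            setattr(model, key, declared[key](form[key]))
    return model


def demo():
    """Bind a constructed hostile request three ways; returns the outcomes."""
    form = {"id": "7", "name": "grid", "desc": "x", "is_admin": "true"}
    vulnerable = bind_all(GridItem(), form)
    lenient = bind_allowed(GridItem(), form, strict=False)
    try:
        bind_allowed(GridItem(), form)
        rejected = False
    except BindError:
        rejected = True
    return {
        "vulnerable_is_admin": vulnerable.is_admin,   # the string "true", truthy
        "lenient_is_admin": lenient.is_admin,         # still False
        "lenient_id": lenient.id,                     # coerced to int 7
        "strict_rejected": rejected,                  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The strict mode is worth keeping on in production for state-changing actions: a request carrying fields the form never renders is either a broken client or someone testing for exactly this weakness, and both are worth a log line.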

Fortify: Access Control Database related issue

青春壹個敷衍的年華 submitted on 2020-01-02 10:20:55
Question: We have been using the Fortify tool on our code to check for security vulnerabilities. We were able to fix most of the issues, but there are some issues which we are finding hard to fix. One of them is related to access control database issues. We use Hibernate Criteria within our code to fetch records from the DB, and Fortify complains that the data which we get from the DB and place into the program is from an untrusted source. Below is the same code:
Criteria criteria = hibernatessn.createCriteria("com.vish

ASP.NET Bad Practices: Non-Serializable Object Stored in Session

安稳与你 submitted on 2020-01-02 10:16:43
Question: I have code like Session["key"] = "value"; but it is considered a bad practice according to Fortify SCA, with the reason "Non-Serializable Object Stored in Session". Screenshot as below: What is the best way to solve this? How to make the string "value" serializable?
Answer 1: I think it's a false positive. From the Fortify document: In order for the session to be serialized correctly, all objects the application stores as session attributes must declare the [Serializable] attribute.